Red October, the espionage campaign uncovered by Kaspersky Lab this week after attackers spent five years actively spying on diplomats, scientists, and governments worldwide, is using a Java exploit to infect its victims, bringing the exploit count to four in this campaign.
Seculert, an Israeli security company, said today it has investigated one of the command and control servers in the Red October infrastructure and found a website serving an exploit targeting CVE-2011-3544. The vulnerability is in Java 7 and in Java 6 Update 27 and earlier. According to the CVE alert, the flaw allows remote untrusted Java Web Start applications and untrusted applets to execute malicious scripts. Oracle patched the vulnerability in October 2011.
Kaspersky Lab had previously identified three Red October exploits, all of them malicious Excel or Word documents attached to spear phishing emails. The company was alerted to the spear phishing campaign by an unidentified partner, which led them to Red October. Researchers found several hundred infections and initially identified the three exploits and upwards of 1,000 unique malware files in 30 different categories including reconnaissance, data collection, code execution, credential harvesting and more. The exploits targeted mobile devices, workstations and removable storage drives.
Kaspersky found 60 domains in the C&C infrastructure and server hosts mainly in Germany and Russia that act as proxies hiding the true C&C server. It was able to sinkhole a half-dozen of the C&C servers and observed 55,000 connections since Nov. 2 from close to 250 IP addresses in 39 countries.
Aviv Raff, CTO and cofounder of Seculert, said the Java-based attacks used in the campaign also relied on spear phishing emails, which contained a link to a malicious PHP web page, purporting to be a news site, that would exploit the Java flaw and quietly download malware in the background. Raff said the exploit’s JAR file was compiled in February, three months after the patch was released.
Raff said the attackers have since moved from PHP to CGI as their C&C scripting engine.
“Unfortunately for the attackers, after moving their server-side engine to CGI, accessing the PHP exploit web pages now displays the source code of the server side, instead of rendering the exploit,” Raff wrote in a blog post. “This allowed us to take a sneak peek behind the scenes of their operation.”
Raff was able to examine the exploit’s source code and determined that the malware payload URL is encoded before it is passed to the malicious applet and is decoded only when the exploit is executed. Raff said all of the victim’s information is logged.
“We can see that the attackers are adding a fingerprint at the end of the malware executable, which includes the unique identifier of the targeted victim,” Raff said. “This is the same unique identifier which is used by the malware later on while communicating with the [command and control] servers.”
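Appending a per-victim identifier to the end of an executable, as Raff describes, leaves the data outside every section listed in the PE header; analysts call such trailing bytes an overlay. The following added example (not code from the article, Seculert or Kaspersky) walks the PE section table without third-party libraries, reports where the overlay begins, and hashes the body separately from the trailer so that two samples of the same payload tagged for different victims can be recognised as one build. The sample PE image and the `VICTIM-ID:EXAMPLE-…` markers are constructed here for illustration and are not Red October artifacts.

```python
"""Locate and extract trailing (overlay) data appended to a PE executable.

Added example, not part of the original article. The PE image built by
build_sample_pe() is a constructed, non-executable stand-in, and the
'VICTIM-ID:EXAMPLE-...' trailer is an invented placeholder, not a real
campaign fingerprint.
"""
import hashlib
import struct


def pe_overlay_offset(data: bytes) -> int:
    """Return the file offset at which overlay data begins.

    The on-disk image ends at the largest PointerToRawData + SizeOfRawData
    over all sections (or after the headers if no section reaches further).
    Anything past that point is not referenced by the section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # start of the COFF file header
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    sect_table = coff + 20 + size_opt        # section table follows the optional header
    end = sect_table + 40 * num_sections     # headers extend at least this far
    for i in range(num_sections):
        entry = sect_table + 40 * i
        # Section entry layout: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ...
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))               # tolerate truncated files


def pe_overlay(data: bytes) -> bytes:
    """Return the bytes appended after the last section (empty if none)."""
    return data[pe_overlay_offset(data):]


def split_body_and_overlay(data: bytes):
    """Return (sha256 of the image without its overlay, overlay bytes).

    Samples that differ only in an appended victim tag share the body hash,
    which lets an analyst cluster them as one build despite distinct file hashes.
    """
    off = pe_overlay_offset(data)
    return hashlib.sha256(data[:off]).hexdigest(), data[off:]


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Construct a minimal PE image with one section, then append `overlay`.

    The optional header is omitted (SizeOfOptionalHeader = 0), which is
    enough for the parser above; the image is not meant to run.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 1 section, no optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # One section: .text, raw data of 0x200 bytes stored at file offset 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + section
    image = headers.ljust(0x200, b"\0") + b"\x90" * 0x200
    return image + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"VICTIM-ID:EXAMPLE-0001")  # constructed marker
    print("overlay starts at", hex(pe_overlay_offset(sample)))
    print("overlay bytes:", pe_overlay(sample))
```

Run against a real file, `pe_overlay(open(path, "rb").read())` gives the bytes to inspect; a non-empty overlay is common in legitimate installers and signed binaries too, so treat it as a lead for comparison across samples rather than a verdict on its own.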
Kaspersky said each successful attack is customized for the victim based on the information collected by the malware on system configuration and more; activity is carefully managed and organized by the attackers.
“All the attacks are carefully tuned to the specifics of the victims,” said Kurt Baumgartner, senior security researcher at Kaspersky. “For instance, the initial documents are customized to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside.”
“Later, there is a high degree of interaction between the attackers and the victim – the operation is driven by the kind of configuration the victim has, which type of documents they use, installed software, native language and so on,” Baumgartner said. “Compared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more personal and finely tuned for the victims.”
Kaspersky researchers were unwilling to link Red October, also known as Rocra, to Flame and other such espionage malware campaigns. Red October could be a copycat; some Flame exploit sites also were news themed and had the same “NewsForYou” server side control handler, Raff said.
The campaign targets Office documents, email messages and a long list of other document types, including files with the acid* extension, which Kaspersky said refers to the classified Acid Cryptofiler software used by the European Union and NATO.
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide,” the Kaspersky report said. “During the past five years, the attackers collected information from hundreds of high profile victims although it’s unknown how the information was used. It is possible that the information was sold on the black market, or used directly.”